At Tullow, we recognise that effectively managing risks and opportunities is essential to our long-term success. Our ability to identify, assess and successfully manage current and emerging risks is critical in ensuring we achieve our strategic objectives and protect shareholder value.
Risk oversight and governance
A risk-focused culture and consistent risk management framework are embedded across Tullow at all levels and are driven by the Board. The Board is responsible for ensuring we maintain an effective risk management and internal control system and it works closely with the SLT to ensure this is in place. The Board oversees the identification, assessment and mitigation of the risks that could affect our business, including those risks that could threaten our strategy, operating model, performance, solvency and liquidity.
The Audit Committee oversees risk management and internal control processes across the Group to ensure that they are effective. The Audit Committee is also responsible for overseeing our internal audit programme and, with the support of the SLT, undertakes an annual review of internal control effectiveness, which it reports to the Board.
The latest internal control effectiveness review was undertaken and reported to the Board in November 2024. The effectiveness of internal controls was again considered by the Board in February 2025 as part of the Annual Report approval process. See pages 89 and 90.
The SLT is collectively responsible and accountable for the risk management processes that operate across Tullow, with individual members taking ownership for risks that fall in their business area.
Tullow’s risk governance framework is illustrated below.
Risk management framework
Our risk management framework (see below) takes a ‘top-down, bottom-up’ approach and is embedded throughout Tullow. This structure ensures ownership and responsibility for identification, assessment and management of key risks and opportunities at all levels of the Company.
Board
- Sets risk appetite.
- Oversees identification, assessment of and response to principal risks.
- Monitors effectiveness of risk management process.
Audit Committee
- Oversight of risk management and internal control processes.
- Oversees independent, objective and competent internal audit function.
- Oversight of compliance with legal, ethical and regulatory expectations.
Senior Leadership Team
- Sets tone for an effective risk management culture.
- Identifies and assesses principal risks.
- Determines principal risk mitigation actions and monitors their effectiveness.
- Oversees and supports business leadership’s risk identification processes and challenges their risk assessments.
Business management: first line of defence (ownership and management)
- Identifies risks.
- Implements controls to manage and mitigate risks.
Business leadership: second line of defence (risk management oversight)
- Sets framework and embeds effective risk management practices.
- Challenges business management on risks identified and their management.
- Monitors compliance with fundamental standards.
- Undertakes regular reviews.
Internal audit: third line of defence (independent assurance)
- Undertakes risk-based internal audit reviews of governance and internal controls across all levels of the Group.
- Identifies areas for improvement and monitors implementation of actions to address them.
Our principal risks
During the year, the Company’s risk profile has been closely monitored. The external economic and political landscape, including the war in Ukraine, inflationary pressures and oil price volatility, has not resulted in any new risks or material changes to existing risks.
Our assessment of the likelihood of our principal risks occurring and the potential impact after taking into account the risk management processes and mitigation actions we implement is summarised below.
| No. | Principal risk | Category |
| --- | --- | --- |
| 1 | Business plan not delivered | Strategy |
| 2 | Asset integrity breach | Health & safety and security |
| 3 | Value not unlocked | Strategy |
| 4 | Geopolitical risk | Stakeholder and Financial |
| 5 | Climate change | Stakeholder |
| 6 | Major accident event | EHS |
| 7 | Insufficient liquidity and funding capacity to sustain business | Financial |
| 8 | Capability cannot be attracted, developed or retained | Organisation |
| 9 | Compliance or regulatory breach | Conduct |
| 10 | Major cyber-disruption | Cyber |